The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Most Trusted Cyber Security and Computer Security Analysis: banking Trojan

Fake Antivirus and Cleaner Apps Caught Installing SharkBot Android Banking Trojan

Fake Antivirus and Cleaner Apps Caught Installing SharkBot Android Banking Trojan
September 05, 2022Ravie Lakshmanan
The notorious Android banking trojan known as  SharkBot  has once again made an appearance on the Google Play Store by masquerading as antivirus and cleaner apps. "This new dropper doesn't rely on Accessibility permissions to automatically perform the installation of the dropper Sharkbot malware," NCC Group's Fox-IT  said  in a report. "Instead, this new version asks the victim to install the malware as a fake update for the antivirus to stay protected against threats." The apps in question, Mister Phone Cleaner and Kylhavy Mobile Security, have over 60,000 installations between them and are designed to target users in Spain, Australia, Poland, Germany, the U.S., and Austria - Mister Phone Cleaner (com.mbkristine8.cleanmaster, 50,000+ downloads) Kylhavy Mobile Security (com.kylhavy.antivirus, 10,000+ downloads) The  droppers  are designed to drop a new version of SharkBot,  dubbed V2  by Dutch security firm ThreatFabric, which features an updated co

New Grandoreiro Banking Malware Campaign Targeting Spanish Manufacturers

New Grandoreiro Banking Malware Campaign Targeting Spanish Manufacturers
August 20, 2022Ravie Lakshmanan
Organizations in the Spanish-speaking nations of Mexico and Spain are in the crosshairs of a new campaign designed to deliver the  Grandoreiro  banking trojan.  "In this campaign, the threat actors impersonate government officials from the Attorney General's Office of Mexico City and from the Public Ministry in the form of spear-phishing emails in order to lure victims to download and execute 'Grandoreiro,' a prolific banking trojan that has been active since at least 2016, and that specifically targets users in Latin America," Zscaler  said  in a report. The ongoing attacks, which commenced in June 2022, have been observed to target automotive, civil and industrial construction, logistics, and machinery sectors via multiple infection chains in Mexico and chemicals manufacturing industries in Spain. Attack chains entail leveraging spear-phishing emails written in Spanish to trick potential victims into clicking on an embedded link that retrieves a ZIP archive

SOVA Android Banking Trojan Returns With New Capabilities and Targets

SOVA Android Banking Trojan Returns With New Capabilities and Targets
August 15, 2022Ravie Lakshmanan
The SOVA Android banking trojan is continuing to be actively developed with upgraded capabilities to target no less than 200 mobile applications, including banking apps and crypto exchanges and wallets, up from 90 apps when it started out. That's according to the latest findings from Italian cybersecurity firm Cleafy, which found newer versions of the malware sporting functionality to intercept two-factor authentication (2FA) codes, steal cookies, and expand its targeting to cover Australia, Brazil, China, India, the Philippines, and the U.K. SOVA, meaning Owl in Russian, came to light in  September 2021  when it was observed striking financial and shopping apps from the U.S. and Spain for harvesting credentials through overlay attacks by taking advantage of Android's Accessibility services. In less than a year, the trojan has also acted as a foundation for another Android malware called  MaliBot  that's designed to target online banking and cryptocurrency wallet custo

Roaming Mantis Financial Hackers Targeting Android and iPhone Users in France

Roaming Mantis Financial Hackers Targeting Android and iPhone Users in France
July 25, 2022Ravie Lakshmanan
The mobile threat campaign tracked as  Roaming Mantis  has been linked to a new wave of compromises directed against French mobile phone users, months after it expanded its targeting to include European countries. No fewer than 70,000 Android devices are said to have been infected as part of the active malware operation, Sekoia said in a report published last week. Attack chains involving  Roaming Mantis , a financially motivated Chinese threat actor, are known to either deploy a piece of banking trojan named MoqHao (aka XLoader) or redirect iPhone users to credential harvesting landing pages that mimic the iCloud login page. "MoqHao (aka Wroba, XLoader for Android) is an Android remote access trojan (RAT) with information-stealing and backdoor capabilities that likely spreads via SMS," Sekoia researchers  said . It all starts with a phishing SMS, a technique known as smishing, enticing users with package delivery-themed messages containing rogue links, that, when clic

MaliBot: A New Android Banking Trojan Spotted in the Wild

MaliBot: A New Android Banking Trojan Spotted in the Wild
June 16, 2022Ravie Lakshmanan
A new strain of Android malware has been spotted in the wild targeting online banking and cryptocurrency wallet customers in Spain and Italy, just weeks after a coordinated law enforcement operation dismantled  FluBot . The information stealing trojan, codenamed  MaliBot  by F5 Labs, is as feature-rich as its  counterparts , allowing it to steal credentials and cookies, bypass multi-factor authentication (MFA) codes, and abuse Android's Accessibility Service to monitor the victim's device screen. MaliBot is known to primarily disguise itself as cryptocurrency mining apps such as Mining X or The CryptoApp that are distributed via fraudulent websites designed to attract potential visitors into downloading them. It also takes another leaf out of the mobile banking trojan playbook in that it employs smishing as a distribution vector to proliferate the malware by accessing an infected smartphone's contacts and sending SMS messages containing links to the malware. "Mal

Latest Mobile Malware Report Suggests On-Device Fraud is on the Rise

Latest Mobile Malware Report Suggests On-Device Fraud is on the Rise
May 31, 2022Ravie Lakshmanan
An analysis of the mobile threat landscape in 2022 shows that Spain and Turkey are the most targeted countries for malware campaigns, even as a mix of new and existing banking trojans are increasingly targeting Android devices to conduct on-device fraud (ODF). Other frequently targeted countries include Poland, Australia, the U.S., Germany, the U.K., Italy, France, and Portugal. "The most worrying leitmotif is the increasing attention to On-Device Fraud (ODF)," Dutch cybersecurity company ThreatFabric  said  in a report shared with The Hacker News. "Just in the first five months of 2022 there has been an increase of more than 40% in malware families that abuse Android OS to perform fraud using the device itself, making it almost impossible to detect them using traditional fraud scoring engines." Hydra ,  FluBot  (aka Cabassous),  Cerberus ,  Octo , and  ERMAC  accounted for the most active banking trojans based on the number of samples observed during the same

New Octo Banking Trojan Spreading via Fake Apps on Google Play Store

New Octo Banking Trojan Spreading via Fake Apps on Google Play Store
April 08, 2022Ravie Lakshmanan
A number of rogue Android apps that have been cumulatively installed from the official Google Play Store more than 50,000 times are being used to target banks and other financial entities. The rental banking trojan, dubbed  Octo , is said to be a rebrand of another Android malware called ExobotCompact, which, in turn, is a "lite" replacement for its Exobot predecessor, Dutch mobile security firm ThreatFabric  said  in a report shared with The Hacker News. Exobot is also likely said to have paved the way for a separate descendant called Coper, that was initially  discovered  targeting Colombian users around July 2021, with newer infections targeting Android users in different European Countries. "Coper malware apps are modular in design and include a multi-stage infection method and many defensive tactics to survive removal attempts," Cybersecurity company Cyble  noted  in an analysis of the malware last month. Like other Android banking trojans, the rogue apps

Hackers Distributing Fake Shopping Apps to Steal Banking Data of Malaysian Users

Hackers Distributing Fake Shopping Apps to Steal Banking Data of Malaysian Users
April 06, 2022Ravie Lakshmanan
Threat actors have been distributing malicious applications under the guise of seemingly harmless shopping apps to target customers of eight Malaysian banks since at least November 2021. The attacks involved setting up fraudulent but legitimate-looking websites to trick users into downloading the apps, Slovak cybersecurity firm ESET said in a report shared with The Hacker News. The copycat websites impersonated cleaning services such as Maid4u, Grabmaid, Maria's Cleaning, Maid4u, YourMaid, Maideasy and MaidACall and a pet store named PetsMore, all of which are aimed at users in Malaysia. "The threat actors use these fake e-shop applications to phish for banking credentials," ESET  said . "The apps also forward all SMS messages received by the victim to the malware operators in case they contain 2FA codes sent by the bank." The targeted banks include Maybank, Affin Bank, Public Bank Berhad, CIMB bank, BSN, RHB, Bank Islam Malaysia, and Hong Leong Bank. Th

Hackers Hijack Email Reply Chains on Unpatched Exchange Servers to Spread Malware

Hackers Hijack Email Reply Chains on Unpatched Exchange Servers to Spread Malware
March 28, 2022Ravie Lakshmanan
A new email phishing campaign has been spotted leveraging the tactic of conversation hijacking to deliver the IcedID info-stealing malware onto infected machines by making use of unpatched and publicly-exposed Microsoft Exchange servers. "The emails use a social engineering technique of conversation hijacking (also known as thread hijacking)," Israeli company Intezer said in a report shared with The Hacker News. "A forged reply to a previous stolen email is being used as a way to convince the recipient to open the attachment. This is notable because it increases the credibility of the phishing email and may cause a high infection rate." The latest wave of attacks, detected in mid-March 2022, is said to have targeted organizations within energy, healthcare, law, and pharmaceutical sectors. IcedID, aka BokBot, like its counterparts TrickBot and  Emotet , is a  banking trojan  that has evolved to become an entry point for more sophisticated threats, including hu

SharkBot Banking Malware Spreading via Fake Android Antivirus App on Google Play Store

SharkBot Banking Malware Spreading via Fake Android Antivirus App on Google Play Store
March 07, 2022Ravie Lakshmanan
The threat actor behind a nascent Android banking trojan named  SharkBot  has managed to evade Google Play Store security barriers by masquerading as an antivirus app. SharkBot, like its malware counterparts  TeaBot ,  FluBot , and  Oscorp  (UBEL), belongs to a category of financial trojans capable of siphoning credentials to initiate money transfers from compromised devices by circumventing multi-factor authentication mechanisms. It first emerged on the scene in November 2021. Where SharkBot stands apart is in its ability to carry out the unauthorized transactions via Automatic Transfer Systems (ATS), which stands in contrast to TeaBot, which requires a live operator to interact with the infected devices to conduct the malicious activities. "The ATS features allow the malware to receive a list of events to be simulated, and they will be simulated in order to do the money transfers," Alberto Segura and Rolf Govers, malware analysts at cybersecurity firm NCC Group,  said

New Android Banking Trojan Spreading via Google Play Store Targets Europeans

New Android Banking Trojan Spreading via Google Play Store Targets Europeans
February 21, 2022Ravie Lakshmanan
A new Android banking trojan with over 50,000 installations has been observed distributed via the official Google Play Store with the goal of targeting 56 European banks and carrying out harvesting sensitive information from compromised devices. Dubbed  Xenomorph  by Dutch security firm ThreatFabric, the in-development malware is said to share overlaps with another banking trojan tracked under the moniker Alien while also being "radically different" from its predecessor in terms of the functionalities offered. "Despite being a work-in-progress, Xenomorph is already sporting effective overlays and being actively distributed on official app stores," ThreatFabric's founder and CEO, Han Sahin, said. "In addition, it features a very detailed and modular engine to abuse accessibility services, which in the future could power very advanced capabilities, like ATS." Alien, a remote access trojan (RAT) with notification sniffing and authenticator-based 2FA

Medusa Android Banking Trojan Spreading Through Flubot's Attacks Network

Medusa Android Banking Trojan Spreading Through Flubot's Attacks Network
February 08, 2022Ravie Lakshmanan
Two different Android banking Trojans, FluBot and Medusa, are relying on the same delivery vehicle as part of a simultaneous attack campaign, according to new research published by ThreatFabric. The ongoing side-by-side infections, facilitated through the same smishing (SMS phishing) infrastructure, involved the overlapping usage of "app names, package names, and similar icons," the Dutch mobile security firm said. Medusa, first discovered targeting Turkish financial organizations in July 2020, has undergone several iterations, chief among which is the ability to abuse accessibility permissions in Android to siphon funds from banking apps to an account controlled by the attacker. "Medusa sports other dangerous features like keylogging, accessibility event logging, and audio and video streaming — all these capabilities provide actors with almost full access to [a] victim's device," the researchers  said . The malware-ridden apps used in conjunction with Flu

Chaes Banking Trojan Hijacks Chrome Browser with Malicious Extensions

Chaes Banking Trojan Hijacks Chrome Browser with Malicious Extensions
January 27, 2022Ravie Lakshmanan
A financially-motivated malware campaign has compromised over 800 WordPress websites to deliver a banking trojan dubbed Chaes targeting Brazilian customers of Banco do Brasil, Loja Integrada, Mercado Bitcoin, Mercado Livre, and Mercado Pago. First documented by  Cybereason  in November 2020, the info-stealing malware is delivered via a sophisticated infection chain that's engineered to harvest sensitive consumer information, including login credentials, credit card numbers, and other financial information. "Chaes is characterized by the multiple-stage delivery that utilizes scripting frameworks such as JScript, Python, and NodeJS, binaries written in Delphi, and malicious Google Chrome extensions," Avast researchers Anh Ho and Igor Morgenstern  said . "The ultimate goal of Chaes is to steal credentials stored in Chrome and intercept logins of popular banking websites in Brazil." The attack sequence is triggered when users visit one of the infected websites

Mobile Banking Trojan BRATA Gains New, Dangerous Capabilities

Mobile Banking Trojan BRATA Gains New, Dangerous Capabilities
January 25, 2022Ravie Lakshmanan
The Android malware tracked as BRATA has been updated with new features that grants it the ability to record keystrokes, track device locations, and even perform a factory reset in an apparent bid to cover up fraudulent wire transfers. The latest variants, detected late last year, are said to be distributed through a downloader to avoid being detected by security software, Italian cybersecurity firm Cleafy said in a  technical write-up . Targets include banks and financial institutions in the U.K., Poland, Italy, and Latin America. "What makes Android RAT so interesting for attackers is its capability to operate directly on the victim devices instead of using a new device," Cleafy researchers  noted  in December 2021. "By doing so, Threat Actors (TAs) can drastically reduce the possibility of being flagged 'as suspicious', since the device's fingerprinting is already known to the bank." First seen in the wild at the end of 2018 and short for "B

New Zloader Banking Malware Campaign Exploiting Microsoft Signature Verification

New Zloader Banking Malware Campaign Exploiting Microsoft Signature Verification
January 05, 2022Ravie Lakshmanan
An ongoing  ZLoader  malware campaign has been uncovered exploiting remote monitoring tools and a nine-year-old flaw concerning Microsoft's digital signature verification to siphon user credentials and sensitive information. Israeli cybersecurity company Check Point Research, which has been tracking the sophisticated infection chain since November 2021, attributed it to a cybercriminal group dubbed MalSmoke , citing similarities with previous attacks. "The techniques incorporated in the infection chain include the use of legitimate remote management software (RMM) to gain initial access to the target machine," Check Point's Golan Cohen said in a report shared with The Hacker News. "The malware then exploits Microsoft's digital signature verification method to inject its payload into a signed system DLL to further evade the system's defenses." A banking trojan at its core, ZLoader has been employed by many an attacker to steal cookies, passwords

Microsoft Details Building Blocks of Widely Active Qakbot Banking Trojan

Microsoft Details Building Blocks of Widely Active Qakbot Banking Trojan
December 13, 2021Ravie Lakshmanan
Infection chains associated with the multi-purpose Qakbot malware have been broken down into "distinct building blocks," an effort that Microsoft said will help to proactively detect and block the threat in an effective manner. The Microsoft 365 Defender Threat Intelligence Team  dubbed   Qakbot a "customizable chameleon that adapts to suit the needs of the multiple threat actor groups that utilize it." Qakbot  is believed to be the creation of a financially motivated cybercriminal threat group known as  Gold Lagoon . It is a prevalent information-stealing malware that, in recent years, has become a precursor to many critical and widespread ransomware attacks, offering a malware installation-as-a-service that enables many campaigns. First discovered in 2007, the modular malware — like  TrickBot  — has  evolved  from its early roots as a banking trojan to become a Swiss Army knife capable of data exfiltration and acting as a delivery mechanism for the second st

Mekotio Banking Trojan Resurfaces with New Attacking and Stealth Techniques

Mekotio Banking Trojan Resurfaces with New Attacking and Stealth Techniques
November 03, 2021Ravie Lakshmanan
The operators behind the Mekotio banking trojan have resurfaced with a shift in its infection flow so as to stay under the radar and evade security software, while staging nearly 100 attacks over the last three months. "One of the main characteristics […] is the modular attack which gives the attackers the ability to change only a small part of the whole in order to avoid detection," researchers from Check Point Research said in a report shared with The Hacker News. The latest wave of attacks are said to primarily target victims located in Brazil, Chile, Mexico, Peru, and Spain. The development comes after Spanish law enforcement agencies in July 2021  arrested  16 individuals belonging to a criminal network in connection with operating Mekotio and another banking malware called Grandoreiro as part of a social engineering campaign targeting financial institutions in Europe. The evolved version of the Mekotio malware strain is designed for compromising Windows systems wit

New Android Malware Steals Financial Data from 378 Banking and Wallet Apps

New Android Malware Steals Financial Data from 378 Banking and Wallet Apps
September 27, 2021Ravie Lakshmanan
The operators behind the BlackRock mobile malware have surfaced back with a new Android banking trojan called  ERMAC  that targets Poland and has its roots in the infamous Cerberus malware, according to the latest research. "The new trojan already has active distribution campaigns and is targeting 378 banking and wallet apps with overlays," ThreatFabric's CEO Cengiz Han Sahin said in an emailed statement. First campaigns involving ERMAC are believed to have begun in late August under the guise of the Google Chrome app. Since then, the attacks have expanded to include a range of apps such as banking, media players, delivery services, government applications, and antivirus solutions like  McAfee . Almost fully based on the notorious banking trojan  Cerberus , the Dutch cybersecurity firm's findings come from forum posts made by an actor named DukeEugene last month on August 17, inviting prospective customers to "rent a new android botnet with wide functionalit
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.